Internet Engineering Task Force (IETF) P. Jain Request for Comments: 9489 A. Sajassi Category: Standards Track S. Salam ISSN: 2070-1721 Cisco S. Boutros Ciena G. Mirsky EricssonOctoberNovember 2023 Label Switched Path (LSP) Ping Mechanisms for EVPN and Provider Backbone Bridging EVPN (PBB-EVPN) Abstract Label Switched Path (LSP) Ping is a widely deployed Operation, Administration, and Maintenance (OAM) mechanism in MPLS networks. This document describes mechanisms for detecting data plane failures using LSP Ping in MPLS-based Ethernet VPN (EVPN) and Provider Backbone Bridging EVPN (PBB-EVPN) networks. Status of This Memo This is an Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc9489. Copyright Notice Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction 2. Specification of Requirements 3. Terminology 4. Target FEC Stack Sub-TLVs 4.1. EVPN MAC/IP Sub-TLV 4.2. EVPN Inclusive Multicast Sub-TLV 4.3. EVPN Ethernet Auto-Discovery (A-D) Sub-TLV 4.3.1. Ethernet Tag Value 4.3.2. Per-ES EVPN Auto-Discovery Route with Different RDs 4.3.3. EVPN VPWS 4.4. EVPN IP Prefix Sub-TLV 5. Encapsulation of OAM Ping Packets 6. Operations 6.1. Unicast Data Plane Connectivity Checks 6.2. Inclusive Multicast Data Plane Connectivity Checks 6.2.1. Ingress Replication 6.2.2. Using P2MP P-Tree 6.2.3. Controlling Echo Responses When Using P2MP P-Tree 6.3. EVPN Aliasing Data Plane Connectivity Check 6.4. EVPN IP Prefix (RT-5) Data Plane Connectivity Check 7. Security Considerations 8. IANA Considerations 8.1. Sub-TLV Type 8.2. New Return Codes 9. Normative References Acknowledgments Authors' Addresses 1. Introduction [RFC7432] describes MPLS-based EVPN technology. An EVPN comprises one or more Customer Edge devices (CEs) connected to one or more Provider Edge devices (PEs). The PEs provide Layer 2 (L2) EVPN among the CE(s) over the MPLS core infrastructure. In EVPN networks, the PEs advertise the Media Access Control (MAC) addresses learned from the locally connected CE(s), along with the MPLS label, to remote PE(s) in the control plane using multiprotocol BGP [RFC4760]. EVPN enables multihoming of CE(s) connected to multiple PEs and load balancing of traffic to and from multihomed CE(s). [RFC7623] describes the use of Provider Backbone Bridging EVPN. PBB- EVPN maintains the Customer MAC (C-MAC) learning in the data plane and only advertises Backbone MAC (B-MAC) addresses in a control plane using BGP. Procedures for simple and efficient mechanisms to detect data plane failures using LSP Ping in MPLS networks are well defined in [RFC8029] and [RFC6425]. The basic idea for the LSP Ping mechanism is to send an MPLS Echo Request packet along the same data path as data packets belonging to the same Forwarding Equivalent Class (FEC). The Echo Request packet carries the FEC being verified in the Target FEC Stack TLV [RFC8029]. Once the Echo Request packet reaches the end of the MPLS path, it is sent to the control plane of the egress PE. The Echo Request packet contains sufficient information to verify the correctness of data plane operations and validate the data plane against the control plane. The egress PE sends the results of the validation in an Echo Reply packet to the originating PE of the Echo Request packet. This document defines procedures to detect data plane failures using LSP Ping in MPLS networks deploying EVPN and PBB-EVPN. This document defines four new sub-TLVs for the Target FEC Stack TLV with the purpose of identifying the FEC on the egress PE. 2. Specification of Requirements The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 3. Terminology A-D: Auto-Discovery B-MAC: Backbone MAC BUM: Broadcast, Unknown Unicast, and Multicast CE: Customer Edge device C-MAC: Customer MAC DF: Designated Forwarder ES: Ethernet Segment ESI: Ethernet Segment Identifier EVI: EVPN Instance Identifier that globally identifies the EVPN Instance EVPN: Ethernet Virtual Private Network FEC: Forwarding Equivalent Class G-ACh: Generic Associated Channel GAL: G-ACh Label MAC-VRF: A Virtual Routing and Forwarding table for MAC addresses on a PE ND: Neighbor Discovery OAM: Operations, Administration, and Maintenance P2MP: Point-to-Multipoint PBB-EVPN: Provider Backbone Bridging EVPN PE: Provider Edge device VPWS: Virtual Private Wire Service 4. Target FEC Stack Sub-TLVs This document introduces four new Target FEC Stack sub-TLVs that are included in the MPLS Echo Request packet. The Echo Request packets are used for connectivity checks in the data plane in EVPN and PBB- EVPN networks. The Target FEC Stack sub-TLVs MAY be used to validate that an identifier for a given EVPN is programmed at the target node. 4.1. EVPN MAC/IP Sub-TLV The EVPN MAC/IP sub-TLV identifies the target MAC, MAC/IP binding for ARP/ND, or IP address for an EVI under test at an egress PE. This sub-TLV is included in the Echo Request sent by an EVPN/PBB-EVPN PE to a peer PE. The fields of the EVPN MAC/IP sub-TLV are derived from the MAC/IP Advertisement route defined in Section 7.2 of [RFC7432] and have the format shown in Figure 1. The fields of the EVPN MAC/IP sub-TLV should be set according to the following, which is consistent with [RFC7432] and [RFC7623]: * The Ethernet Tag ID field can be 0 or a valid VLAN ID for EVPN VLAN-aware bundle service [RFC7432]. For PBB-EVPN, the value of this field is always 0 as per Section 5.2 of [RFC7623]. * The Ethernet Segment Identifier field is a 10-octet field. For EVPN, it is set to 0 for a single-homed ES or to a valid ESI ID for a multihomed ES. For PBB-EVPN, the Ethernet Segment Identifier field must be set to either 0 (for single-homed segments or multihomed segments with per-I-SID load balancing) or to MAX-ESI (for multihomed segments with per-flow load balancing) as described in Section 5.2 of [RFC7623]. * The MAC Addr Len field specifies the MAC length in bits. Only 48-bit MAC addresses are supported as this document follows the MAC address length supported by [RFC7432]. * The MAC Address field is set to the 6-octet MAC address. * The IP Address field is optional. When the IP Address field is not present, the IP Addr Len field is set to 0. When the IP Address field is present, the IP Addr Len field is in bits and is set to either 32 for IPv4 addresses or 128 for IPv6 addresses. * The Must Be Zero fields are set to 0. The receiving PE should ignore the Must Be Zero fields. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Route Distinguisher | | (8 octets) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Ethernet Tag ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Ethernet Segment Identifier | | (10 octets) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Must Be Zero | MAC Addr Len | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MAC Address | + (6 octets) +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Must Be Zero | IP Addr Len | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IP Address (0, 4 or 16 octets) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 1: EVPN MAC/IP Sub-TLV Format The MPLS Echo Request is sent by the ingress PE using the EVPN MPLS label(s) associated with the MAC/IP Advertisement route announced by the egress PE and the MPLS transport label(s) to reach the egress PE. In EVPN, the MAC/IP Advertisement route has multiple uses and is used for the following cases: * This route with only a MAC address and MPLS Label1 is used for populating MAC-VRF and performing MAC forwarding. * This route with MAC and IP addresses and only MPLS Label1 is used for populating both MAC-VRF and ARP/ND tables (for ARP suppression) as well as for performing MAC forwarding. * This route with MAC and IP addresses and both MPLS Label1 and Label2 is used for populating MAC-VRF and IP-VRF tables as well as for both MAC and IP forwarding in the case of symmetric Integrated Routing and Bridging (IRB). When an MPLS Echo Request is sent by an ingress PE, the contents of the Echo Request and the egress PE mode of operation (i.e., IRB mode or L2 mode) along with EVPN MPLS label of the packet determine which of the three cases above this Echo Request is for. When the egress PE receives the EVPN MAC/IP sub-TLV containing only the MAC address, the egress PE validates the MAC state and forwarding. When the egress PE receives the EVPN MAC/IP sub-TLV containing both MAC and IP addresses and if the EVPN label points to a MAC-VRF, then the egress PE validates the MAC state and forwarding. If the egress PE is not configured in symmetric IRB mode, it also validates ARP/ND state. However, if the EVPN label points to an IP-VRF, then the egress PE validates IP state and forwarding. Any other combinations (e.g., the egress PE receiving the EVPN MAC/IP sub-TLV containing only the MAC address but with the EVPN label pointing to an IP-VRF) should be considered invalid, and the egress PE should send an Echo Reply with the appropriate Return Code to the ingress PE. 4.2. EVPN Inclusive Multicast Sub-TLV The fields of the EVPN Inclusive Multicast sub-TLV are based on the EVPN Inclusive Multicast Tag route defined in Section 7.3 of [RFC7432]. This TLV is included in the Echo Request sent to the EVPN peer PE by the originator of the request to verify the multicast connectivity state on the peer PE(s) in EVPN and PBB-EVPN networks. The EVPN Inclusive Multicast sub-TLV has the format shown in Figure 2. The fields of this sub-TLV should be set according to the following, which is consistent with [RFC7432] and [RFC7623]: * The Route Distinguisher (RD) field is a 10-octet field and is set to the RD of the MAC-VRF on the peer PE. * For EVPN, the Ethernet Tag ID field can be set to 0 or a valid VLAN ID for EVPN VLAN-aware bundle service [RFC7432]. For PBB- EVPN, the value of this field is set to the Service Instance Identifier (I-SID) value as per Section 5.3 of [RFC7623]. * The IP Addr Len field specifies the length of the Originating Router's IP Addr field in bits and is set to either 32 for IPv4 addresses or 128 for IPv6 addresses. * The Originating Router's IP Addr field is set to the IPv4 or IPv6 address of the peer PE. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Route Distinguisher | | (8 octets) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Ethernet Tag ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IP Addr Len | | +-+-+-+-+-+-+-+ | ~ Originating Router's IP Addr ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 2: EVPN Inclusive Multicast Sub-TLV Format BUM traffic can be sent using ingress replication or P2MP P-tree in EVPN and PBB-EVPN networks. When using ingress replication, the Echo Request is sent using a label stack of [Transport label, Inclusive Multicast label] to each egress PE participating in EVPN or PBB-EVPN. The Inclusive Multicast label is the downstream-assigned label announced by the egress PE to which the Echo Request is being sent. The Inclusive Multicast label is the inner label in the MPLS label stack. When using P2MP P-tree in EVPN or PBB-EVPN, the Echo Request is sent using a P2MP P-tree transport label for the Inclusive P-tree arrangement or using a label stack of [P2MP P-tree Transport label, upstream-assigned EVPN Inclusive Multicast label] for the Aggregate Inclusive P2MP P-tree arrangement as described in Section 6. In an EVPN network, to emulate traffic coming from a multihomed site, an additional EVPN Ethernet A-D sub-TLV in the Target FEC Stack TLV and an ESI Split Horizon Group MPLS label as the bottom label are also included in the Echo Request packet. When using P2MP P-tree, the ESI Split Horizon Group MPLS label is upstream assigned. Please see Section 6.2.2 for operations using P2MP P-trees. 4.3. EVPN Ethernet Auto-Discovery (A-D) Sub-TLV The fields in the EVPN Ethernet A-D sub-TLV are based on the EVPN Ethernet A-D route advertisement defined in Section 7.1 of [RFC7432]. The EVPN Ethernet A-D sub-TLV only applies to EVPN. The EVPN Ethernet A-D sub-TLV has the format shown in Figure 3. The fields of this sub-TLV should be set according to the following, which is consistent with [RFC7432]: * The Route Distinguisher (RD) field is a 10-octet field and is set to the RD of the MAC-VRF on the peer PE. Please see Section 4.3.2 for the case when a per-ES A-D route is announced with different RDs. * The Ethernet Tag ID field can be 0, MAX-ET, or a valid VLAN ID as described in Section 4.3.1. * The Ethernet Segment Identifier field is a 10-octet field and is set to 0 for a single-homed ES or to a valid ESI ID for a multihomed ES. * The Must Be Zero field is set to 0. The receiving PE should ignore the Must Be Zero field. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Route Distinguisher | | (8 octets) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Ethernet Tag ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Ethernet Segment Identifier | | (10 octets) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Must Be Zero | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 3: EVPN Ethernet A-D Sub-TLV Format 4.3.1. Ethernet Tag Value The EVPN Ethernet A-D sub-TLV can be sent in the context of per-ES or per-EVI. When an operator performs a connectivity check for the BUM L2 service, an Echo Request packet is sent and MAY contain the EVPN Ethernet A-D sub-TLV to emulate traffic coming from a multihomed site. In this case, the EVPN Ethernet A-D sub-TLV is added in the per-ES context. When an Echo Request packet is sent for the connectivity check for EVPN Aliasing state, the context for the EVPN Ethernet A-D sub-TLV is per-EVI. The Ethernet Tag field value in the EVPN Ethernet A-D sub-TLV MUST be set according to the context: * For the per-ES context, the Ethernet Tag field in the sub-TLV MUST be set to the reserved MAX-ET value [RFC7432]. * For the per-EVI context, the Ethernet Tag field in the sub-TLV MUST be set to the non-reserved value. 4.3.2. Per-ES EVPN Auto-Discovery Route with Different RDs Section 8.2 of [RFC7432] specifies that a per-ES EVPN A-D route for a given multihomed ES may be advertised more than once with different RD values because many EVIs may be associated with the same ES and Route Targets for all these EVIs may not fit in a single BGP Update message. In this case, the RD value used in the EVPN Ethernet A-D sub-TLV MUST be the RD value received for the EVI in the per-ES EVPN A-D route. 4.3.3. EVPN VPWS LSP Ping can also be used to detect data plane failures for the EVPN VPWS described in [RFC8214]. The Echo Request packet carries the EVPN Ethernet A-D sub-TLV with fields populated from the EVPN Ethernet A-D per-EVI route announced by the egress PE for the EVPN VPWS under test. The Echo Request is sent by the ingress PE using the EVPN MPLS label associated with the EVPN Ethernet A-D route announced by the egress PE and the MPLS transport label(s) to reach the egress PE. The egress PE processes the Echo Request packet and performs checks for the EVPN Ethernet A-D sub-TLV present in the Target FEC Stack TLV as described in Section 4.4 of [RFC8029] and responds according to processing rules in [RFC8029]. The egress PE can identify that the Echo Request is for the EVPN VPWS instance as EVI (identified by the RD) for EVPN VPWS is different from EVI assigned for EVPN. The egress PE will use the information from the EVPN Ethernet A-D sub-TLV in the Target FEC Stack TLV and validate the VLAN state for the EVPN VPWS under test. For the success case, the egress PE will reply with Return Code 3 ("Replying router is an egress for the FEC at stack- depth <RSC>"). 4.4. EVPN IP Prefix Sub-TLV The EVPN IP Prefix sub-TLV identifies the IP prefix for an EVI under test at a peer PE. The EVPN IP Prefix sub-TLV fields are derived from the IP Prefix route (RT-5) advertisement defined in [RFC9136]. This sub-TLV only applies to EVPN. The EVPN IP Prefix sub-TLV has the format shown in Figure 4. The total length (not shown) of this sub-TLV MUST be either 32 bytes (if IPv4 addresses are carried) or 56 bytes (if IPv6 addresses are carried). The IP prefix and gateway IP address MUST be from the same IP address family, as described in Section 3.1 of [RFC9136]. The fields of the EVPN IP Prefix sub-TLV should be set according to the following, which is consistent with [RFC9136]: * The Route Distinguisher (RD) field is a 10-octet field and is set to the RD of the IP-VRF on the peer PE. * The Ethernet Tag ID field can be 0 or a valid VLAN ID for EVPN VLAN-aware bundle service [RFC7432]. * The Ethernet Segment Identifier field is a 10-octet field and is set to a valid ESI ID if the ESI is used as an Overlay Index as per Section 3.1 of [RFC9136]. Otherwise, the Ethernet Segment Identifier field is set to 0. * The IP Prefix Len field specifies the number of bits in the IP Prefix field. It is set to a value between 0 and 32 for IPv4 or between 0 to 128 for IPv6. * The IP Prefix field is set to a 4-octet IPv4 address (with trailing 0 bits to make 32 bits in all) or a 16-octet IPv6 address (with trailing 0 bits to make 128 bits in all). The address family of this field is inferred from the sub-TLV length field, as discussed above. * The Gateway (GW) IP Address field is set to a 4-octet IPv4 address or a 16-octet IPv6 address if it's used as an Overlay Index for the IP prefixes. If the GW IP Address is not being used, it must be set to 0 as described in Section 3.1 of [RFC9136]. The address family of this field is inferred from the sub-TLV length field, as discussed above. * The Must Be Zero field is set to 0. The receiving PE should ignore the Must Be Zero field. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Route Distinguisher | | (8 octets) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Ethernet Tag ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Ethernet Segment Identifier | | (10 octets) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Must Be Zero | IP Prefix Len | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ IP Prefix (4 or 16 octets) ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ GW IP Address (4 or 16 octets) ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 4: EVPN IP Prefix Sub-TLV Format The MPLS Echo Request is sent by the ingress PE using the EVPN MPLS label(s) associated with the IP Prefix route announced by the egress PE and the MPLS transport label(s) to reach the egress PE. 5. Encapsulation of OAM Ping Packets The MPLS Echo Request IP/UDP packets MUST be encapsulated with the Transport and EVPN label(s) followed by the GAL [RFC5586], which is the bottommost label. The GAL is followed by a G-ACh header carrying the IPv4(0x0021) or IPv6(0x0057) Channel Type. The code points for IPv4 and IPv6 channels are defined in the "Generic Associated Channel (G-ACh) Parameters" IANA registry. 6. Operations 6.1. Unicast Data Plane Connectivity Checks Figure 5 is an example of a PBB-EVPN network. CE1 is dual-homed to PE1 and PE2. Assume that PE1 announced a MAC route with RD 192.0.2.1:00 and B-MAC 00-AA-00-BB-00-CC and with MPLS label 16001 for EVI 10. Similarly, PE2 announced a MAC route with RD 203.0.113.2:00 and B-MAC 00-AA-00-BB-00-CC and with MPLS label 16002. On PE3, when an operator performs a connectivity check for the B-MAC address 00-AA-00-BB-00-CC on PE1, the operator initiates an LSP Ping request with the Target FEC Stack TLV containing the EVPN MAC/IP sub- TLV in the Echo Request packet. The Echo Request packet is sent with the {Transport label(s) to reach PE1, EVPN label = 16001, GAL} MPLS label stack and IP ACH Channel header. Once the Echo Request packet reaches PE1, PE1 will use the GAL and the IP ACH Channel header to determine if the packet is an IPv4 or IPv6 OAM packet. The PE1 will process the packet and perform checks for the EVPN MAC/IP sub-TLV present in the Target FEC Stack TLV as described in Section 4.4 of [RFC8029] and respond according to the processing rules in [RFC8029]. +-----------------+ | | | | +----+ AC1 +-----+ +-----+ +----+ | CE1|------| | | PE3 |-----| CE2| +----+\ | PE1 | IP/MPLS | | +----+ \ +-----+ Network +-----+ \ | | AC2\ +-----+ | \ | | | \| PE2 | | +-----+ | | | +-----------------+ <-802.1Q-> <------PBB over MPLS------> <-802.1Q-> Figure 5: PBB-EVPN Network Similarly, on PE3, when an operator performs a connectivity check for the B-MAC address 00-AA-00-BB-00-CC on PE2, the operator initiates an LSP Ping request with the Target FEC Stack TLV containing the EVPN MAC/IP sub-TLV in the Echo Request packet. The Echo Request packet is sent with the {MPLS Transport label(s) to reach PE2, EVPN label = 16002, GAL} MPLS label stack and IP ACH Channel header. LSP Ping operations for unicast data plane connectivity checks in EVPN are similar to those described above for PBB-EVPN, except that the checks are for C-MAC addresses instead of B-MAC addresses. In EVPN networks, an operator can also perform a MAC state test using an aliasing label for the MAC to verify the MAC state on the egress multihoming PE that did not learn the MAC from the multihomed CE on a local ESI but has announced Ethernet A-D per-EVI and per-ESI routes for the ESI. This is due to the fact that MAC state on multihoming PEs that did not learn the MAC locally get created from EVPN MAC/IP route advertisement from the multihoming PE that has learned the CE's MAC address locally. 6.2. Inclusive Multicast Data Plane Connectivity Checks 6.2.1. Ingress Replication Assume PE1 announced an Inclusive Multicast route for EVI 10, with RD 192.0.2.1:00, Ethernet Tag (ISID 10), PMSI tunnel attribute Tunnel type set to ingress replication, and downstream-assigned Inclusive Multicast MPLS label 17001. Similarly, PE2 announced an Inclusive Multicast route for EVI 10, with RD 203.0.113.2:00, Ethernet Tag (ISID 10), PMSI tunnel attribute Tunnel type set to ingress replication, and downstream-assigned Inclusive Multicast MPLS label 17002. Given CE1 is dual-homed to PE1 and PE2, assume that PE1 is the DF for ISID 10 for the port corresponding to the ESI 11aa.22bb.33cc. 44dd.5500. When an operator at PE3 initiates a connectivity check for the Inclusive Multicast on PE1, the operator initiates an LSP Ping request with the Target FEC Stack TLV containing the EVPN Inclusive Multicast sub-TLV in the Echo Request packet. The Echo Request packet is sent with the {Transport label(s) to reach PE1, EVPN Inclusive Multicast label = 17001, GAL} MPLS label stack and IP ACH Channel header. Once the Echo Request packet reaches PE1, PE1 will use the GAL and the IP ACH Channel header to determine if the packet is an IPv4 or IPv6 OAM packet. The packet will have the EVPN Inclusive Multicast label. PE1 will process the packet and perform checks for the EVPN Inclusive Multicast sub-TLV present in the Target FEC Stack TLV as described in Section 4.4 of [RFC8029] and respond according to the processing rules in [RFC8029]. For the success case, PE1 will reply with Return Code 3 ("Replying router is an egress for the FEC at stack-depth <RSC>"). Similarly, an operator at PE3 may initiate an LSP Ping to PE2 with the Target FEC Stack TLV containing the EVPN Inclusive Multicast sub- TLV in the Echo Request packet. The Echo Request packet is sent with the {Transport label(s) to reach PE2, EVPN Inclusive Multicast label = 17002, GAL} MPLS label stack and IP ACH Channel header. Once the Echo Request packet reaches PE2, PE2 will use the GAL and the IP ACH Channel header to determine if the packet is an IPv4 or IPv6 OAM packet. The processing on PE2 will be similar to that on PE1 as described above. For the success case, PE2 will reply with Return Code 3 ("Replying router is an egress for the FEC at stack-depth <RSC>") as per [RFC8029]. In an Echo Request packet for EVPN, a combination of an EVPN Ethernet A-D sub-TLV and the associated MPLS Split Horizon label, immediately preceding the GAL in the MPLS label stack, may be used to emulate traffic coming from a multihomed site. The Split Horizon label is used by leaf PE(s) attached to the same multihomed site to prevent forwarding of packets back to the multihomed site. If the behavior on a leaf PE is to not forward the packet to the multihomed site on the ESI identified by the EVPN Ethernet A-D sub-TLV because of Split Horizon filtering, the PE will reply with Return Code 37 (see Section 8) and drop the BUM packets on the ES corresponding to the ESI received in the EVPN Ethernet A-D sub-TLV because of the Split Horizon Group filtering. 6.2.2. Using P2MP P-Tree Both Inclusive P-tree and Aggregate Inclusive P-tree can be used in EVPN or PBB-EVPN networks. When using an Inclusive P-tree arrangement, the P2MP P-tree transport label itself is used to identify the L2 service associated with the Inclusive Multicast route. This L2 service could be a Customer Bridge or a Provider Backbone Bridge. For an Inclusive P-tree arrangement, when an operator performs a connectivity check for the multicast L2 service, the operator initiates an LSP Ping request with the Target FEC Stack TLV containing the EVPN Inclusive Multicast sub-TLV in the Echo Request packet. The Echo Request packet is sent over P2MP LSP with the {P2MP P-tree Transport label, GAL} MPLS label stack and IP ACH Channel header. When using an Aggregate Inclusive P-tree arrangement, a PE announces an upstream-assigned MPLS label along with the P-tree ID, so both the P2MP P-tree MPLS transport label and the upstream MPLS label can be used to identify the L2 service. For an Aggregate Inclusive P-tree arrangement, when an operator performs a connectivity check for the multicast L2 service, the operator initiates an LSP Ping request with the Target FEC Stack TLV containing the EVPN Inclusive Multicast sub-TLV in the Echo Request packet. The Echo Request packet is sent over P2MP LSP using the IP- ACH Control channel with the {P2MP P-tree Transport label, EVPN upstream-assigned Multicast label, GAL} MPLS label stack and IP ACH Channel header. The leaf PE(s) of the P2MP P-tree will process the packet and perform checks for the EVPN Inclusive Multicast sub-TLV present in the Target FEC Stack TLV as described in Section 4.4 of [RFC8029] and respond according to the processing rules in [RFC8029]. For the success case, the leaf PE will reply with Return Code 3 ("Replying router is an egress for the FEC at stack-depth <RSC>"). In an Echo Request packet for EVPN, a combination of an EVPN Ethernet A-D sub-TLV and the associated MPLS Split Horizon label, immediately preceding the GAL in the MPLS label stack, may be used to emulate traffic coming from a multihomed site. When using P2MP P-tree, the Split Horizon label is upstream assigned and is received by all the leaf PEs of the P2MP P-tree. The Split Horizon label is used by leaf PE(s) attached to the same multihomed site so that packets will not be forwarded back to the multihomed site. If the behavior on a leaf PE is to not forward the packet to the multihomed site on the ESI in the EVPN Ethernet A-D sub-TLV because of Split Horizon filtering, the PE will reply with Return Code 37 (see Section 8) and drop the BUM packets on the ES corresponding to the ESI received in the EVPN Ethernet A-D sub-TLV because of the Split Horizon Group filtering. If the leaf PE does not have the ESI identified in the EVPN Ethernet A-D sub-TLV, the PE MAY reply with Return Code 38 (see Section 8), and the BUM packets are forwarded because there is no ES corresponding to the ESI received in the EVPN Ethernet A-D sub-TLV. 6.2.3. Controlling Echo Responses When Using P2MP P-Tree The procedures described in [RFC6425] for preventing congestion of Echo Responses (Echo Jitter TLV) and limiting the Echo Reply to a single egress node (P2MP Responder Identifier TLV with either the IPv4 Node Address P2MP Responder sub-TLV or the IPv6 Node Address P2MP Responder sub-TLV) can be applied to LSP Ping in EVPN and PBB- EVPN when using P2MP P-trees for BUM traffic. 6.3. EVPN Aliasing Data Plane Connectivity Check Assume PE1 announced an Ethernet A-D per-EVI route with the ESI set to CE1 system ID and MPLS label 19001. Additionally, assume PE2 announced an Ethernet A-D per-EVI route with the ESI set to CE1 system ID and MPLS label 19002. At PE3, when an operator performs a connectivity check for the aliasing aspect of the EVPN Ethernet A-D route on PE1, the operator initiates an LSP Ping request with the Target FEC Stack TLV containing the EVPN Ethernet A-D sub-TLV in the Echo Request packet. The Echo Request packet is sent with the {Transport label(s) to reach PE1, EVPN Ethernet A-D label 19001, GAL} MPLS label stack and IP ACH Channel header. When PE1 receives the packet, it will process the packet and perform checks for the EVPN Ethernet A-D sub-TLV present in the Target FEC Stack TLV as described in Section 4.4 of [RFC8029] and respond according to the processing rules in [RFC8029]. 6.4. EVPN IP Prefix (RT-5) Data Plane Connectivity Check Assume PE1 in Figure 5 announced an IP Prefix route (RT-5) with an IP prefix reachable behind CE1 and MPLS label 20001. When an operator on PE3 performs a connectivity check for the IP prefix on PE1, the operator initiates an LSP Ping request with the Target FEC Stack TLV containing the EVPN IP Prefix sub-TLV in the Echo Request packet. The Echo Request packet is sent with the {Transport label(s) to reach PE1, EVPN IP Prefix label 20001 } MPLS label stack. When PE1 receives the packet, it will process the packet and perform checks for the EVPN IP Prefix sub-TLV present in the Target FEC Stack TLV as described in Section 4.4 of [RFC8029] and respond according to the processing rules in [RFC8029]. 7. Security Considerations This document does not introduce any new security considerations beyond those that apply in [RFC7432], [RFC7623], and [RFC6425]. Furthermore, the security considerations discussed in [RFC8029] apply to this document and need to be considered. As described in [RFC8029], these security considerations are: * A Denial-of-Service (DoS) attack by sending MPLS Echo Requests/ Replies to Label Switching Routers (LSRs) and thereby increasing their workload. * Obfuscating the state of the MPLS data plane liveness by spoofing, hijacking, replaying, or otherwise tampering with MPLS Echo Requests and Replies. * Obtaining information about the network through an unauthorized source using an LSP Ping. There are mitigations described in [RFC8029]. The same mitigations can be applied to the LSP Ping procedures described in this document; thus, this document doesn't require additional security considerations beyond the ones described in [RFC8029]. This document does not introduce any new privacy concerns because these TLVs contain the same information that are present in data packets and EVPN routes. 8. IANA Considerations 8.1. Sub-TLV Type This document defines four new sub-TLV types to be included in the Target FEC Stack TLV (TLV types 1, 16, and 21) [RFC9041] in Echo Request and Echo Reply messages in EVPN and PBB-EVPN networks. IANA has assigned the following values from the "Standards Action" (0-16383) range in the "Sub-TLVs for TLV Types 1, 16, and 21" subregistry within the "TLVs" registry of the "Multiprotocol Label Switching (MPLS) Label Switched Paths (LSPs) Ping Parameters" name space. +==========+==============================+===========+ | Sub-Type | Sub-TLV Name | Reference | +==========+==============================+===========+ | 42 | EVPN MAC/IP | RFC 9489 | +----------+------------------------------+-----------+ | 43 | EVPN Inclusive Multicast | RFC 9489 | +----------+------------------------------+-----------+ | 44 | EVPN Ethernet Auto-Discovery | RFC 9489 | +----------+------------------------------+-----------+ | 45 | EVPN IP Prefix | RFC 9489 | +----------+------------------------------+-----------+ Table 1 8.2. New Return Codes [RFC8029] defines values for the Return Code field of Echo Reply messages. This document defines two new Return Codes that SHOULD be included in the Echo Reply message by a PE in response to an Echo Request message in EVPN and PBB-EVPN networks. IANA has assigned the following values in the "Return Codes" registry of the "Multiprotocol Label Switching (MPLS) Label Switched Paths (LSPs) Ping Parameters" name space. +=======+=============================================+===========+ | Value | Meaning | Reference | +=======+=============================================+===========+ | 37 | Replying router is egress for the FEC at | RFC 9489 | | | the stack depth. In addition, the BUM | | | | packets are dropped on the ES corresponding | | | | to the ESI received in the EVPN Ethernet | | | | Auto-Discovery sub-TLV because of the Split | | | | Horizon Group filtering. | | +-------+---------------------------------------------+-----------+ | 38 | Replying router is egress for the FEC at | RFC 9489 | | | the stack depth. In addition, the BUM | | | | packets are forwarded because there is no | | | | ES corresponding to the ESI received in the | | | | EVPN Ethernet Auto-Discovery sub-TLV. | | +-------+---------------------------------------------+-----------+ Table 2 9. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>. [RFC4760] Bates, T., Chandra, R., Katz, D., and Y. Rekhter, "Multiprotocol Extensions for BGP-4", RFC 4760, DOI 10.17487/RFC4760, January 2007, <https://www.rfc-editor.org/info/rfc4760>. [RFC5586] Bocci, M., Ed., Vigoureux, M., Ed., and S. Bryant, Ed., "MPLS Generic Associated Channel", RFC 5586, DOI 10.17487/RFC5586, June 2009, <https://www.rfc-editor.org/info/rfc5586>. [RFC6425] Saxena, S., Ed., Swallow, G., Ali, Z., Farrel, A., Yasukawa, S., and T. Nadeau, "Detecting Data-Plane Failures in Point-to-Multipoint MPLS - Extensions to LSP Ping", RFC 6425, DOI 10.17487/RFC6425, November 2011, <https://www.rfc-editor.org/info/rfc6425>. [RFC7432] Sajassi, A., Ed., Aggarwal, R., Bitar, N., Isaac, A., Uttaro, J., Drake, J., and W. Henderickx, "BGP MPLS-Based Ethernet VPN", RFC 7432, DOI 10.17487/RFC7432, February 2015, <https://www.rfc-editor.org/info/rfc7432>. [RFC7623] Sajassi, A., Ed., Salam, S., Bitar, N., Isaac, A., and W. Henderickx, "Provider Backbone Bridging Combined with Ethernet VPN (PBB-EVPN)", RFC 7623, DOI 10.17487/RFC7623, September 2015, <https://www.rfc-editor.org/info/rfc7623>. [RFC8029] Kompella, K., Swallow, G., Pignataro, C., Ed., Kumar, N., Aldrin, S., and M. Chen, "Detecting Multiprotocol Label Switched (MPLS) Data-Plane Failures", RFC 8029, DOI 10.17487/RFC8029, March 2017, <https://www.rfc-editor.org/info/rfc8029>. [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>. [RFC8214] Boutros, S., Sajassi, A., Salam, S., Drake, J., and J. Rabadan, "Virtual Private Wire Service Support in Ethernet VPN", RFC 8214, DOI 10.17487/RFC8214, August 2017, <https://www.rfc-editor.org/info/rfc8214>. [RFC9041] Andersson, L., Chen, M., Pignataro, C., and T. Saad, "Updating the MPLS Label Switched Paths (LSPs) Ping Parameters IANA Registry", RFC 9041, DOI 10.17487/RFC9041, July 2021, <https://www.rfc-editor.org/info/rfc9041>. [RFC9136] Rabadan, J., Ed., Henderickx, W., Drake, J., Lin, W., and A. Sajassi, "IP Prefix Advertisement in Ethernet VPN (EVPN)", RFC 9136, DOI 10.17487/RFC9136, October 2021, <https://www.rfc-editor.org/info/rfc9136>. Acknowledgments The authors would like to thank Loa Andersson, Alexander Vainshtein, Ron Sdayoor, Jim Guichard, Lars Eggert, John Scudder, Éric Vyncke, Warren Kumari, Patrice Brissette, and Weiguo Hao for their valuable comments. Authors' Addresses Parag Jain Cisco Canada Email: paragj@cisco.com Ali Sajassi Cisco United States of America Email: sajassi@cisco.com Samer Salam Cisco Canada Email: ssalam@cisco.com Sami Boutros Ciena United States of America Email: sboutros@ciena.com Greg Mirsky Ericsson United States of America Email: gregimirsky@gmail.com